Ivanti patches Connect Secure zero-day exploited since mid-March
Ivanti has released security updates to patch a critical Connect Secure remote code execution vulnerability exploited by a China-linked espionage actor to deploy malware since at least mid-March 2025.
Tracked as CVE-2025-22457, this critical security flaw is due to a stack-based buffer overflow weakness. It impacts Pulse Connect Secure 9.1x (which reached end-of-support in December), Ivanti Connect Secure 22.7R2.5 and earlier, Policy Secure, and Neurons for ZTA gateways.
According to Ivanti's advisory, remote threat actors can exploit it in high-complexity attacks that don't require authentication or user interaction. The company patched the vulnerability on February 11, 2025, with the release of Ivanti Connect Secure 22.7R2.6 after initially tagging it as a product bug.
"The vulnerability is a buffer overflow with characters limited to periods and numbers; it was evaluated and determined not to be exploitable as remote code execution and didn't meet the requirements of denial of service," Ivanti said on Thursday.
"However, Ivanti and our security partners have now learned the vulnerability is exploitable through sophisticated means and have identified evidence of active exploitation in the wild. We encourage all customers to ensure they are running Ivanti Connect Secure 22.7R2.6 as soon as possible, which remediates the vulnerability."
While security patches for ZTA and Ivanti Policy Secure gateways are still in development and will be released on April 19 and April 21, respectively, Ivanti said that it's "not aware of any exploitation" targeting these gateways, which it says also carry a "meaningfully reduced risk from this vulnerability."
Ivanti also advised admins to monitor their external Integrity Checker Tool (ICT) and look for web server crashes. If any signs of compromise are discovered, admins should factory reset impacted appliances and put them back in production using software version 22.7R2.6.
| Product Name | Affected Version(s) | Resolved Version(s) | Patch Availability |
| --- | --- | --- | --- |
| Ivanti Connect Secure | 22.7R2.5 and prior | 22.7R2.6 (released February 2025) | Download Portal |
| Pulse Connect Secure (EoS) | 9.1R18.9 and prior | 22.7R2.6 | Contact Ivanti to migrate |
| Ivanti Policy Secure | 22.7R1.3 and prior | 22.7R1.4 | April 21 |
| ZTA Gateways | 22.8R2 and prior | 22.8R2.2 | April 19 |
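A small inventory triage script, added here as an example and not Ivanti's own tooling, that turns the advisory table above into a version check: it parses Ivanti-style version strings (`22.7R2.5`, `22.8R2`) and flags appliances still below the resolved version for their product. The ordering assumption (major, minor, R-release, patch, with a missing patch treated as 0) and the sample inventory are mine, not from the advisory.

```python
import re
from typing import List, Tuple

# Resolved versions taken from the advisory table for CVE-2025-22457.
# Pulse Connect Secure is end-of-support; its only remediation is migrating
# to Connect Secure 22.7R2.6, so it is compared against that version too.
FIXED_VERSIONS = {
    "Ivanti Connect Secure": "22.7R2.6",
    "Pulse Connect Secure": "22.7R2.6",
    "Ivanti Policy Secure": "22.7R1.4",
    "ZTA Gateways": "22.8R2.2",
}

# Assumed format: <major>.<minor>R<release>[.<patch>]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse '22.7R2.5' or '22.8R2' into a numerically sortable tuple.

    A missing trailing patch number (e.g. '22.8R2') is treated as patch 0,
    so '22.8R2' sorts below '22.8R2.2' as the advisory table implies.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {version!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_affected(product: str, version: str) -> bool:
    """True if this product/version is still below the advisory's fixed build."""
    if product not in FIXED_VERSIONS:
        raise ValueError(f"product not covered by the advisory: {product!r}")
    return parse_version(version) < parse_version(FIXED_VERSIONS[product])


def triage_inventory(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, product, version) entries that still need remediation."""
    return [entry for entry in inventory if is_affected(entry[1], entry[2])]


# Constructed sample inventory (hostnames are placeholders, not real appliances).
SAMPLE_INVENTORY = [
    ("vpn-a.example.test", "Ivanti Connect Secure", "22.7R2.5"),
    ("vpn-b.example.test", "Ivanti Connect Secure", "22.7R2.6"),
    ("legacy.example.test", "Pulse Connect Secure", "9.1R18.9"),
    ("nac.example.test", "Ivanti Policy Secure", "22.7R1.4"),
    ("zta.example.test", "ZTA Gateways", "22.8R2"),
]

if __name__ == "__main__":
    for host, product, version in triage_inventory(SAMPLE_INVENTORY):
        print(f"NEEDS ACTION: {host} ({product} {version}) -> {FIXED_VERSIONS[product]}")
```

A passing version check is not a compromise check: the advisory still calls for reviewing the external ICT results and web server crashes on every appliance that was exposed before patching.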
Attacks linked to UNC5221 Chinese-nexus cyberspies
While Ivanti has yet to disclose more details regarding CVE-2025-22457 attacks, Mandiant and Google Threat Intelligence Group (GTIG) security researchers revealed today that a suspected China-nexus espionage actor tracked as UNC5221 has been exploiting the vulnerability since at least mid-March 2025.
"Following successful exploitation, we observed the deployment of two newly identified malware families, the TRAILBLAZE in-memory only dropper and the BRUSHFIRE passive backdoor. Additionally, deployment of the previously reported SPAWN ecosystem of malware attributed to UNC5221 was also observed," Mandiant said.
"We assess it is likely the threat actor studied the patch for the vulnerability in ICS 22.7R2.6 and uncovered, through a complicated process, that it was possible to exploit 22.7R2.5 and earlier to achieve remote code execution."
UNC5221 is known for targeting zero-day vulnerabilities in network edge devices since 2023, including various Ivanti and NetScaler appliances. Most recently, the Chinese hackers exploited CVE-2025-0282, another Ivanti Connect Secure buffer overflow, to drop new Dryhook and Phasejam malware on compromised VPN appliances.
One year ago, the hacking group also chained two Connect Secure and Policy Secure zero-days (CVE-2023-46805 and CVE-2024-21887) to remotely execute arbitrary commands on targeted ICS VPN and IPS network access control (NAC) appliances. One of their victims was the MITRE Corporation, which disclosed the breach in April 2024.
Threat intelligence company Volexity said in January 2024 that UNC5221 had backdoored over 2,100 Ivanti appliances using the GIFTEDVISITOR webshell in attacks chaining the two zero-days.
As CISA and the FBI warned in January 2025, attackers are still breaching vulnerable networks using exploits targeting Ivanti Cloud Service Appliances (CSA) security vulnerabilities patched since September.
Multiple other Ivanti security flaws have been exploited as zero-days over the last year in widespread attacks against the company's VPN appliances and ICS, IPS, and ZTA gateways.